CheckMates - Quantum - Remote Access VPN
Restricting access to corporate devices
We are evaluating Checkpoint VPN and one of the things it needs to do is control client access based on whether the device is corporate or non-corporate.
What we need it to do is the following:
- Corporate owned devices (Windows, Mac, Linux, iOS, Android) need to be able to connect to the VPN and have access to all internal and DMZ based systems. Authentication will be done with LDAP (Active Directory).
- Contractors need to be able to connect to the VPN and access certain systems in the DMZ. Authentication will be done with LDAP (Active Directory).
In an ideal world I would like to be able to push a certificate to the corporate machines and have this inspected at VPN connection time, and then based on this allow the machine into the internal network. For Windows we have Group Policies/SCCM and for Mac we have Jamf, so we can push whatever we need. The contractors would get access based on their username/password.
Basically I want to stop an employee from going to Aldi and buying a PC, then using this to connect to the internal network through VPN using their username and password.
How can Checkpoint do this? Any ideas?
I would suggest using ESOD (Endpoint Security on Demand) with SNX; see the Remote Access VPN Administration Guide R80.20, p. 132ff! This makes it possible to use, e.g., a Windows registry key deployed by GPO to differentiate between corporate and contractor PCs.
Great, thanks! How do I differentiate between Windows and non-Windows machines in the policies? I am more interested in stopping private Windows machines than Mac or Linux. Is it a case of looking at the client type, meaning having multiple lines for the internal employees, each with a different client version?
I have also seen that I can check whether the machine is in a specific AD group. Has anyone had any success with this, and will it also work with Mac (if they are registered in the domain)?
Please first have a good read through the R80.20 Remote Access VPN Administration Guide and afterwards, after digesting the contained information, ask the questions that have been left over!
Hello,
Were you able to find a solution?
I think the best solution for doing that will be using Secure Configuration Verification (SCV).
The client is checked for compliance before it can connect.
Follow Secure Configuration Verification (SCV)
Wolfgang
Hello,
Thanks for the reply. In fact I read about SCV already, but I am a bit lost in all the flavours and products.
So SCV will not check compliance for Mac OS, which I think will make the device non-compliant immediately upon connecting to the VPN. My overall challenge is very similar to the original poster's.
company laptop (only Windows) -> Remote Access -> resource A, B
any other device (Windows + Mac OS) -> Remote Access -> resource A
I was also investigating the SmartEndpoint suite; at first try it looks good, but it is probably not the right tool to achieve such a setup.
This is a very interesting topic that would be very nice to have in a GUI.
What I read from sk147416 about SCV is that it also requires a desktop policy, so we have to go to the old SmartDashboard to create a firewall policy. Ok, that's doable, but doesn't that require a higher license and Endpoint Security?
=> The compliance checks are supported by Endpoint Security Client, Check Point Mobile for Windows, Full Suite version
With the active marketing the names of the VPN client are changing every year :'s
I thought Check Point Mobile for Windows (apparently the new name for Endpoint Connect) is not able to use a desktop policy but apparently it can use SCV. This is confusing. So we create a fake desktop policy and enable the Policy Server, and then we edit the SCV text file.
Let's say it just works then:
SCV can check a registry key as well: Registry Monitor: Verifies System Registry keys, values, and their contents.
So we could just add a key somewhere using a GPO and then we have an easy way to check the clients. Of course this will then only work for Windows. I noticed you could create exceptions so you can allow some access to those who fail the check.
I'd like to see Check Point's recommendation or a real how-to guide to do this. Does anyone have a link for that? The sk on itself is already pretty good though so if I'd have the time I can start trying this out.
A lot of current home workers are using their own personal computer instead of their company laptop to VPN in so it seems really interesting to be able to control this.
Hi Jeroen,
It's not an official Check Point guide, but I wrote a detailed how-to on my blog: https://namitguy.blogspot.com/2020/04/implementing-secure-client-verification.html
This covers both the gateway and endpoint configuration.
Let me know if anything is not clear.
Ruan
Hi there,
Does anyone know what happens when Mac OS connects to a gateway where the SCV check is enforced? SCV does not support Mac OS, so does it mean such a client will be marked as non-compliant?
Connection is not allowed until you set the following:
Traffic from Mac OS is dropped and "SCV client configuration is not verified" error is displayed
Wolfgang
Many thanks for your reply. TAC is still working on another issue regarding a Desktop policy installation problem, which is blocking me from actively testing it.
This looks very promising indeed, as in such a case even without enabling :allow_non_scv_clients (true) I can set up an SCV exception to allow non-verified clients to some VPN resources.
